Tag Archives: internet_of_things

Google Launches IoT Service for Managing Devices at Scale

Google today announced a fully-managed Google Cloud Platform (GCP) service called Google Cloud IoT Core, aimed at allowing companies to securely connect and manage IoT devices at scale. Indranil Chakraborty, Google Cloud Product Manager, says: “Many enterprises that rely on industrial devices such as sensors, conveyor belts, farming equipment, medical equipment and pumps — particularly, globally distributed ones — are struggling to monitor and manage those devices for several reasons.” Those reasons, Chakraborty says, include operational cost and complexity, patchwork security, and data fragmentation. “Cloud IoT Core is designed to help resolve these problems by removing risk, complexity and data silos from the device monitoring and management process.”

More under: Cloud Computing, Internet of Things

Posted in circleid

8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs. The effect on a company’s bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day-to-day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

1) Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.

2) Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.

3) Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure can increase revenues and drive bottom-line performance. In this respect, shareholders must not only expect cyber excellence, they should demand it.

4) Financial management – There is clearly a direct correlation between cyber-related risk events (e.g. reputation damage, business disruption, fines, etc.) and financial loss. The severity and impact of such risks can be mitigated by integrating business strategy with cybersecurity strategy. The importance here is even more pronounced given the global economic downturn and depressed profits being experienced by several businesses.

5) Public safety – An increasing number of companies are delivering products/services in the areas of smart grids, smart cities, automated public transit, power installations, autonomous vehicles, etc. Possessing core expertise in the alignment of cybersecurity and business operations will set these organizations apart in their respective market environments in terms of public safety. There are also distinct national security implications when we think of these technologies in the context of potential threats to human life.

6) Business development – In 2004, the global cybersecurity market was valued at $3.5 billion. In 2017, it is now estimated to be worth $120 billion. But this value is primarily based on the number of products and services delivered. And while there is huge growth potential within the existing paradigm, there is a massive economic opportunity in fostering a commercial ecosystem built on online trust. Take for example the growing popularity of global trust audit and scoring offerings. Increasingly, more and more organizations are developing solutions to combat the proliferation of fake news. As it relates to IoT, consortiums are being formed to fill the security gaps in product design (i.e. existing markets can be strengthened through collaboration and coordination). And these are just a few examples of the emergent market for Trust-as-a-Service (TaaS).

7) Corporate social responsibility – There are numerous benefits to CSR programs, ranging from enhancing brand loyalty to securing and retaining investors to attracting/retaining engaged and productive employees. So along that vein, social responsibility investment in cyber-related areas such as child online protection, secure coding for women, hackathons and cybersecurity research is a savvy approach to cementing market position. As a result, companies can promote good security as a selling point for their products and services, create a pipeline for the best cybersecurity talent, and leverage their cyber-specific supply chains to build consumer trust.

8) Mergers & acquisitions – Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Due to a low standard for due diligence, several corporations find out about major cyber incidents only after an acquisition deal has gone through. In actuality, serious cybersecurity issues around compliance, data breaches, poor security architecture or the absence of incident response processes should be uncovered before finalizing a transaction. In the case of Verizon’s acquisition of Yahoo!, the final offer was cut by almost $400 million due to revelations about cybersecurity incidents. A 2016 survey by the NYSE indicated that over 50% of respondents regarded major security vulnerabilities as a ‘show stopper’ for a merger or acquisition.

Considering that end users are generally regarded as the weakest points in cyber defenses, logic dictates that cybersecurity should begin with the individual. Every single employee must be engaged and involved in defending the organization from online threats. It is they who most often access enterprise applications, networks and devices, and will undoubtedly serve as the first line of protection against hackers. Executives and board members are targeted due to their access to key digital assets; and because of the traditional fortification of the network perimeter, line workers are the focus of threat agents seeking to gain entry into the network or escalate their privileges to access sensitive information. Indeed, both executives and employees represent vectors to the same ultimate objective — the compromise of internal systems and access to critical data. Hence, development of an effective cybersecurity strategy must involve tight coupling of security practices with business operations to bolster an organization’s overall security posture. The most damaging misstep organizations can make — and often do — is relegating this function to an understaffed and underfunded IT department.

Written by Niel Harper

More under: Cybercrime, Internet of Things, Security

IoT Devices Will Never Be Secure – Enter the Programmable Networks

Harvard Business Review just ran an interesting article on the information security aspects of Internet of Things (IoT). Based on the storyline, the smart city initiatives are doomed to fail unless the security of the IoT devices and the systems is improved. While security of the digital society is obviously a key concern, I am not entirely convinced that relying on the security of individual devices and systems is the best course of action.

The biggest problem with IoT security is that most devices are going to be relatively simple and inexpensive connected things. The bandwidth consumption of these devices should be kept to the minimum to save bandwidth. Yet at the same time, security is supposed to be a continuous process. This involves a party that is responsible for keeping an eye on the various security vulnerabilities that emerge from time to time, and another one to make sure that suitable patches are being prepared and applied on a timely basis.

While with smartphones, laptops, and servers, this work has commonly fallen under the responsibility of the device manufacturer, it is largely because they have been able to generate considerable service revenue from this work. Considering the much lower cost of IoT devices, it is likely that only a small percentage of IoT device users will be willing to pay a premium for such a service. Due to this dynamic, even the devices that leave the factory floor in pristine condition face the risk of becoming compromised over time.

Therefore, it seems to me that looking at IoT device manufacturers as the likely saviours is wishful thinking at best. The business logic just is not there.

So where to look for answers?

When people think about Internet security, they often forget how security is taken care of in the physical world. Rather than trying to lock down and protect every single belonging in one’s household, we tend to rely on locked doors and alarm systems that protect the perimeters of our homes. The things we keep in our houses tend to be reasonably secure, so long as the doors are locked properly, and the windows are not left open.

In much the same way, the IoT devices should be placed within the boundaries of protected network environments. While every IoT device will never be secure, the associated risks are well contained so long as the perimeter of each machine network is secure. To provide an analogy, my keys are not secure if I leave them on the table at Starbucks — but if I place them on a desk in the safety of my home, the situation changes completely.

Over the last couple of years, the network industry has developed technologies such as Software-Defined Wide Area Networking (SD-WAN) and Network Functions Virtualization (NFV) that allow new networks and security services to be deployed automatically. Although these technologies are not widely used for this purpose yet, they hold the key for securing smart cities as well as any other IoT use case the world holds in store for us.

That is why I believe that the future of IoT security lies in programmable networks and the service providers that operate them for us.

Written by Juha Holkkola, Co-Founder and Chief Technologist at FusionLayer Inc.

More under: Access Providers, Cyberattack, Cybercrime, Data Center, Internet of Things, Malware, Security, Telecom

New Chapter Working Groups Open Closed Doors

One thing was clear from a recent presentation by the new leaders of the SF-Bay Internet Society (ISOC) Chapter Working Groups: inclusion and collaboration will be the key to these groups’ success.

As Dr. Brandie Nonnecke, the Internet Governance Working Group (WG) Chair said, “We haven’t yet cracked the code on what ‘multistakeholder’ means.” But that won’t stop her and Dr. Jaclyn Kerr, the Data Protection, Privacy, and Security WG Chair, from trying. At a recent Chapter Event held on April 10th, 2017, these two innovative leaders laid out an ambitious plan to bridge silos and foster open dialogue in order to work towards the Internet Society’s mission that the Internet is for Everyone.

Focus Areas

These newly-launched Working Groups will focus on the interest areas of the SF Bay Area Chapter members, as determined by their responses to a recent survey. There are three in total: Internet Governance; Data Protection, Privacy & Security; and Internet of Things (IoT), Internet Technologies & Access.

Internet Governance

For the Internet Governance Working Group, Chair Brandie Nonnecke laid out a plan that includes supporting interdisciplinary research, publishing position papers and policy briefs, organizing workshops, symposia, and activities, and supporting a fellowship programme. The goal is to educate and engage stakeholders not traditionally involved in Internet governance. Brandie is well-suited to achieve this goal: she is a PhD whose research focuses on multistakeholderism in internet governance and information and communication technology (ICT) policymaking at the Center of Information Technology Research in the Interest of Society (CITRIS) and the Banatao Institute, UC Berkeley. The WG is now accepting members; help drive the agenda by applying to join the WG.

Data, Privacy, Security

For the Data Protection, Privacy, and Security Working Group, Chair Jaclyn Kerr discussed the urgency of this issue: due to government surveillance and data breaches, there are serious threats to our online security and privacy. Even at the top level of government, there have been security breaches. Jaclyn discussed working in collaboration with the other WGs and fostering discussion between those involved in tech, civil society, civil liberties, security and academia. Jaclyn is a Postdoctoral Research Fellow at the Center for Global Security Research (CGSR), Lawrence Livermore National Laboratory, where her research focuses on cybersecurity and information security strategy, Internet governance, and the Internet policies of non-democratic regimes. Apply to join this WG.

IoT

And last but not least, in the IoT, Internet Technologies & Access Working Group, the focus will be on the IoT ecosystem, issues around access, critical Internet infrastructure, innovation and open standards. As more and more devices connect to the Internet, we need to ensure that security concerns, critical resources like IPv4 and IPv6 address space, and technology standards are addressed. Mischa Spiegelmock, who unfortunately could not attend the Chapter Event due to travel, chairs this WG. Mischa is a software engineer who currently leads an engineering team at MVS Technical Group Inc., and specializes in information security, database-driven applications, systems programming, UNIX and C. To get involved, apply to join this working group.

Opening Doors

So many decisions about Internet governance, security, and infrastructure happen behind closed doors. The more technical the topic is, the more difficult it is for everyday citizens to get involved, which is a vulnerability for all of us. These Working Groups, the SF-Bay Area Chapter and the Internet Society exist to change that. “The Internet touches every part of our lives and everyone should be equipped with enough knowledge to enable them to have a say in how it is run,” says SF-Bay Area Chapter President and Chair, Susannah Gray. “The SF-Bay Area Chapter provides a neutral platform for you to advocate, learn, educate, and work on these key issues. It was amazing to see so many people come together on April 10 to express their interest, their own areas of focus and their concerns for the future of the Internet: we look forward to working with you all as we continue to build up our Working Groups.”

Get Involved

Get involved today by joining us and almost 2,000 other members (it’s free!), emailing us with your thoughts, applying for open board seats, volunteering, donating, sponsoring the Chapter, or joining one of these powerful Working Groups. There is a reason Board Treasurer Ken Krechmer, one of the Chapter founders, called ISOC the “Continental congress of the Internet.” This is the basis for an open Internet.

You can find the agenda from the April 10 Chapter Event and recording here.

This blog post was written by Jenna Spagnolo on behalf of the San Francisco-Bay Area Internet Society chapter.

Written by Jenna Spagnolo

More under: Access Providers, Broadband, Censorship, Internet Governance, Internet of Things, Malware, Net Neutrality, Policy & Regulation, Privacy, Security, Web

Permanent Denial-of-Service Attacks on the Rise, Incidents Involve Hardware-Damaging Assaults

Also known loosely as “phlashing” in some circles, Permanent Denial-of-Service (PDoS) is an increasingly popular form of cyberattack that damages a system so badly that it requires replacement or reinstallation of hardware. “By exploiting security flaws …
